In June 2017, after many months of public comment and open discussion on GitHub, the US National Institute of Standards and Technology (NIST) released revision 3 of Special Publication 800-63: Digital Identity Guidelines. This was a huge revision that separated what used to be a single level of assurance into three separate components: Identity Assurance Level (IAL), Authenticator Assurance Level (AAL), and Federation Assurance Level (FAL). It drops practices many of us thought were counterproductive, like arbitrary password composition rules and periodic forced password changes. It acknowledges that a one-time password sent via SMS has some value but is also weak; the final text classifies it as a "restricted" authenticator, backing away from the draft's "deprecated" label. It also adds some very interesting concepts, like "additional authenticators" and "supervised remote enrollment".
For some of us, NIST 800-63 is something we are required to follow. Others can treat it as guidance and a source of best practices. For all of us, it's a fairly long set of documents describing a complex subject (digital identity) that sits at the absolute center of getting security right. So, let's spend some time working through NIST 800-63, look at these changes and new concepts, and see what separating identity from authentication from federation can mean for us.